Skip to main content

Linux Kernel CVE-2026-46139

| EUVDEUVD-2026-32766 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-v8jf-78w3-v9hm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.1 MEDIUM

C:L added over official C:N because 2 bytes of kernel heap data are transmitted to a remote Samba server; all other metrics align with official vector.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Red Hat
7.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 17:42 vuln.today
CVSS changed
Jun 24, 2026 - 17:38 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

smb: client: use kzalloc to zero-initialize security descriptor buffer

Commit 62e7dd0a39c2d ("smb: common: change the data type of num_aces to le16") split struct smb_acl's __le32 num_aces field into __le16 num_aces and __le16 reserved. The reserved field corresponds to Sbz2 in the MS-DTYP ACL wire format, which must be zero [1].

When building an ACL descriptor in build_sec_desc(), we are using a kmalloc()'ed descriptor buffer and writing the fields explicitly using le16() writes now. This never writes to the 2 byte reserved field, leaving it as uninitialized heap data.

When the reserved field happens to contain non-zero slab garbage, Samba rejects the security descriptor with "ndr_pull_security_descriptor failed: Range Error", causing chmod to fail with EINVAL.

Change kmalloc() to kzalloc() to ensure the entire buffer is zero-initialized.

[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428

AnalysisAI

The Linux kernel SMB client transmits uninitialized kernel heap data in the reserved Sbz2 field of Windows ACL security descriptors to remote Samba servers, causing chmod operations on SMB-mounted filesystems to fail with EINVAL. This regression was introduced by commit 62e7dd0a39c2d, which split a struct field but left a newly created 2-byte reserved field unpopulated due to use of kmalloc() instead of kzalloc(). No public exploit exists (EPSS 0.02%, no KEV listing); the practical impact is an operational disruption of file permission management on Samba-backed mounts, with a secondary minor information disclosure of heap contents to the remote server.

Technical ContextAI

The affected code resides in the Linux kernel CIFS/SMB client subsystem, specifically in build_sec_desc() within fs/smb/client/, which constructs Windows-format security descriptors for ACL operations over SMB. Commit 62e7dd0a39c2d refactored struct smb_acl by splitting a 32-bit __le32 num_aces field into a 16-bit __le16 num_aces and a 16-bit __le16 reserved field, corresponding to the Sbz2 field in the MS-DTYP ACL wire format specification (which mandates Sbz2 must be zero). Because the descriptor buffer was allocated with kmalloc() rather than kzalloc(), only explicitly assigned fields are written - the Sbz2/reserved bytes remain as whatever slab allocator garbage occupies that memory. CWE-908 (Use of Uninitialized Resource) directly describes this root cause: a resource is allocated and used before being properly initialized. Samba's NDR unmarshalling layer enforces the MS-DTYP constraint and rejects any security descriptor where Sbz2 is non-zero, triggering 'ndr_pull_security_descriptor failed: Range Error'. The CPE string cpe:2.3:o:linux:linux_kernel covers the affected kernel builds across multiple stable branches.

RemediationAI

The primary fix is upgrading to a patched Linux kernel version: 6.12.88, 7.0.7, 7.1-rc3, or 6.18.30 (note: 6.18.30 appears in EUVD data and should be independently verified for your distribution). The kernel fix changes kmalloc() to kzalloc() in build_sec_desc(), ensuring the entire descriptor buffer is zero-initialized before field population. Patch commits are available at https://git.kernel.org/stable/c/4c3ed344a970aad51388ac3b0145b98318f0e21f, https://git.kernel.org/stable/c/5e489c6c47a2ac15edbaca153b9348e42c1eacab, https://git.kernel.org/stable/c/9bdb2ca31368b7671949dfb94a5d57ffccd01edd, https://git.kernel.org/stable/c/be1ef9512a3f5a755895c24f31b334342f4aa15b, and https://git.kernel.org/stable/c/941a1e6eb35440336913afc88a82103291956d5d. For systems where kernel patching is not immediately feasible, a compensating control is to refrain from executing chmod or chown on files within Samba-hosted SMB mounts until the kernel is updated; this avoids triggering build_sec_desc() with the uninitialized buffer. This workaround has the trade-off of restricting ACL management operations on those shares. Given the Medium CVSS and low EPSS, routine patch cycle remediation is appropriate unless Samba ACL operations are business-critical.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46139 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy